NIST – Requirements | LogRhythm Documentation

NIST 800-53 Rev 5

Control	AIE Rules & Alarms	Investigations	Summary Reports
AC-2	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
AC-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
AC-4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm	CCF: Account Modification Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: Vulnerability Detected Summary
AC-6	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
AC-7	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Distributed Brute Force CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv	CCF: Access Failure Summary CCF: Audit Log Summary CCF: Auth Failure Summary
AC-10	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
AC-16	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
AC-17	CCF: Abnormal Origin Location CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Non-Encrypted Protocol Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
AC-18	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
AC-20	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
AC-21	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Social Media Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Social Media Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
AC-23	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
AC-24	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Non-Encrypted Protocol Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
AC-25	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Non-Encrypted Protocol Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
AU-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
AU-4	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm	CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Critical Environment Error Inv CCF: Time Sync Error Inv	CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary
AU-5	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm	CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Time Sync Error Inv	CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Time Sync Error Summary
AU-6	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
AU-7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
AU-8	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Modified CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm	CCF: Audit Log Inv CCF: Time Sync Error Inv	CCF: Audit Log Summary CCF: Time Sync Error Summary
AU-9	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm	CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Physical Access Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary
AU-10	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Social Media Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
AU-11	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm	CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Physical Access Inv CCF: Time Sync Error Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Physical Access Summary CCF: Time Sync Error Summary
AU-12	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
AU-13	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Social Media Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Social Media Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
AU-14	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
AU-15	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
CA-2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Non-Encrypted Protocol Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
CA-7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
CM-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
CM-5	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
CM-6	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
CM-7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
CM-8	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm	CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv	CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Signature Activity Summary
CM-11	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm	CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv	CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Signature Activity Summary
CM-12	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
CP-6	CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Config Change After Attack CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm	CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Physical Access Summary CCF: Time Sync Error Summary
CP-7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
CP-9	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm	CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Physical Access Inv CCF: Time Sync Error Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: User Object Access Summary
CP-13	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
IA-2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
IA-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
IA-4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
IA-5	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
IA-7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
IA-8	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
IA-9	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
IP-2	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
IA-10	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
IP-4	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
IA-12	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
IP-3	CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm	CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: User Object Access Inv	CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary
IR-4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
IR-5	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
IR-6	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
IR-7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
IR-9	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
IR-10	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
MA-2	CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Windows RunAs Privilege Escalation	CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
MA-3	CCF: Abnormal Amount of Data Transferred CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Windows RunAs Privilege Escalation	CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
MA-4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
MA-5	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
MA-6	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
MP-2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
MP-4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
MP-6	CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv	CCF: Audit Log Summary CCF: LogRhythm Data Loss Defender Log Summary
PA-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
MP-7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
MP-8	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PA-4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PE-2	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
PE-3	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
PE-4	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
PE-5	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
PE-6	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
PE-7	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
PE-8	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
PL-4	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PE-17	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PL-8	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
PL-9	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
PM-14	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm	CCF: Audit Log Inv CCF: Time Sync Error Inv	CCF: Audit Log Summary CCF: Time Sync Error Summary
PM-6	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
PM-12	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
PM-17	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
PM-23	CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm	CCF: Audit Log Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Audit Log Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary
PM-26	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
PS-4	CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Unknown User Account Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PS-5	CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Unknown User Account Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PS-7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Social Media Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PS-8	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
RA-2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
RA-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
RA-7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
SA-3	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm	CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Patch Activity Inv CCF: Signature Activity Inv	CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Patch Activity Summary CCF: Signature Activity Summary
SA-4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
SA-5	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
SA-9	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
SA-10	CCF: Abnormal Amount of Data Transferred CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Blacklisted Account Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
SA-18	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
SA-19	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
SC-2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
SC-3	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
SC-4	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
SC-5	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Denial Of Service Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Denial Of Service Inv	CCF: Audit Log Summary
SC-7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
SC-8	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
SC-10	NetMon	NetMon	NetMon
SC-13	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm	CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Use Of Non-Encrypted Protocols Inv	CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Use Of Non-Encrypted Protocols Summary
SC-16	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm CCF: Time Sync Error Alarm	CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Use Of Non-Encrypted Protocols Inv	CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Use Of Non-Encrypted Protocols Summary
SC-18	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
SC-20	NetMon	NetMon	NetMon
SC-21	NetMon	NetMon	NetMon
SC-22	NetMon	NetMon	NetMon
SC-23	NetMon	NetMon	NetMon
SC-24	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm	CCF: Account Modification Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Patch Activity Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
SC-26	LogRhythm Honeypot Security Analytics Suite	LogRhythm Honeypot Security Analytics Suite	LogRhythm Honeypot Security Analytics Suite
SC-27	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm	CCF: Account Modification Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Patch Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Vulnerability Detected Summary
SC-28	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Social Media Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Social Media Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
SC-31	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm	CCF: Account Modification Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Patch Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Vulnerability Detected Summary
SC-35	LogRhythm Honeypot Security Analytics Suite	LogRhythm Honeypot Security Analytics Suite	LogRhythm Honeypot Security Analytics Suite
SC-36	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
SC-38	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
SC-40	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm	CCF: Account Modification Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Malware Detected Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Malware Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary
SC-41	NetMon
SI-2	CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Failed Audit Log Write Alarm CCF: Linux sudo Privilege Escalation CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Windows RunAs Privilege Escalation	CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Patch Activity Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv	CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Patch Activity Summary CCF: Signature Activity Summary
SI-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
SI-4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
SI-5	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
SI-6	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
SI-7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
SI-8	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Critical Event After Attack CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Malware Detected Inv CCF: Password Modification Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Misuse Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Malware Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: Vulnerability Detected Summary
SI-10
SI-11	CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm	CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Critical Environment Error Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Time Sync Error Inv	CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Critical Environment Error Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Time Sync Error Summary
SI-12	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm CCF: Social Media Event	CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Social Media Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Audit Log Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Social Media Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary
SI-14	CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Security Event CCF: Compromise Detected Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm	CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Host Access Granted And Revoked Inv CCF: Malware Detected Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Misuse Inv CCF: Vulnerability Detected Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Compromises Detected Summary CCF: Host Access Granted And Revoked Detail CCF: Malware Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: Vulnerability Detected Summary
SI-15	NetMon	NetMon	NetMon
SI-16	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm	CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Social Media Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Social Media Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary
SI-17	CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm	CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Time Sync Error Inv	CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Critical Environment Error Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Time Sync Error Summary
SI-18	CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm	CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Audit Log Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary
SI-19	CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm	CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Audit Log Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary

NIST 800-171

Control	AIE Rules & Alarms	Investigations	Reports
3.1.1	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.1.5	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.6	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.8	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.10	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.12	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.1.13	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm	CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Use Of Non-Encrypted Protocols Inv	CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Use Of Non-Encrypted Protocols Summary
3.1.14	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.15	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.16	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.17	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.18	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.19	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Social Media Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Social Media Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.20	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.1.21	CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: User Object Access Inv	CCF: Audit Log Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary
3.3.1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.3.2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.3.3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.3.4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.3.5	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.3.6	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.3.7	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Modified CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm	CCF: Audit Log Inv CCF: Time Sync Error Inv	CCF: Audit Log Summary CCF: Time Sync Error Summary
3.3.8	CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm CCF: Software Install Rule CCF: Software Uninstall Rule	CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Physical Access Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary
3.3.9	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.4.2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.4.3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.4.6	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.5.1	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.5.2	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.5.3	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.5.10	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm	CCF: Audit Log Inv CCF: Use Of Non-Encrypted Protocols Inv	CCF: Audit Log Summary CCF: Use Of Non-Encrypted Protocols Summary
3.6.1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.6.2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.6.3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.7.1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.7.2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.7.6	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
3.8.1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.8.2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.8.5	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
3.8.7	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm	CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Physical Access Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary
3.8.8	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm	CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Physical Access Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary
3.8.9	CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Config Change After Attack CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm	CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Physical Access Summary CCF: Time Sync Error Summary
3.9.2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.10.1	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
3.10.2	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
3.10.3	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
3.10.4	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
3.10.5	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
3.13.1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.13.2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.13.4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Social Media Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Social Media Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.13.8	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Social Media Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.13.15	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.13.16	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.14.1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.14.2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.14.3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.14.4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
3.14.6	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
3.14.7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary

NIST CCF

Control	AIE Rules & Alarms	Investigations	Reports
ID.AM-4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: Vulnerability Detected Summary
ID.AM-5	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
ID.RA-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
ID.SC-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
ID.SC-4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
PR.AC-1	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.AC-2	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
PR.AC-3	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.AC-4	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.AC-5	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm	CCF: Account Modification Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: Vulnerability Detected Summary
PR.AC-6	CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.AC-7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.DS-1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.DS-2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.DS-3	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Software Install Rule CCF: Software Uninstall Rule	CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv	CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Signature Activity Summary
PR.DS-4	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Backup Information CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm	CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Critical Environment Error Inv CCF: Time Sync Error Inv	CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary
PR.DS-5	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
PR.DS-6	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm CCF: Time Sync Error Alarm	CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Use Of Non-Encrypted Protocols Inv	CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Use Of Non-Encrypted Protocols Summary
PR.DS-8	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.IP-1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.IP-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.IP-4	CCF: Abnormal Amount of Data Transferred CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Backup Failure Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm	CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Critical Environment Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Physical Access Inv CCF: Time Sync Error Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Physical Access Summary CCF: User Object Access Summary
PR.IP-6	CCF: Abnormal Amount of Data Transferred CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: LogRhythm Silent Log Source Error Alarm CCF: Non-Encrypted Protocol Alarm	CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Audit Log Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary
PR.IP-9	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
PR.MA-1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.MA-2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.PT-1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
PR.PT-2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.PT-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Signature Activity Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Signature Activity Summary CCF: Term Account Activity Summary CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
PR.PT-4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Disabled Account Auth Success CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary
DE.AE-2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
DE.AE-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
DE.AE-4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
DE.AE-5	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
DE.CM-1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
DE.CM-2	CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Excessive Authentication Failure Rule CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm	CCF: Audit Log Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv	CCF: Audit Log Summary CCF: Physical Access Summary
DE.CM-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
DE.CM-4	CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Security Event CCF: Compromise Detected Alarm CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm	CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv	CCF: Audit Log Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary
DE.CM-6	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
DE.CM-7	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
DE.CM-8
DE.DP-2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
DE.DP-5	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
RS.RP-1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
RS.CO-2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
RS.AN-1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
RS.AN-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
RS.AN-4	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
RS.MI-2	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
RS.MI-3	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary
RC.RP-1	CCF: Abnormal Amount of Data Transferred CCF: Abnormal Origin Location CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Admin Password Modified CCF: Attack then External Connection CCF: Audit Log Cleared Alarm CCF: Audit Logging Stopped Alarm CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Backup Failure Alarm CCF: Backup Information CCF: Blacklist Location Auth CCF: Blacklisted Account Alarm CCF: Compromise Detected Alarm CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Critical Event After Attack CCF: Critical/PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: Critical/PRD Envir Signature Failure Alarm CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Denial Of Service Alarm CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: Early TLS/SSL Alarm CCF: Excessive Authentication Failure Rule CCF: External Brute Force Auths CCF: Failed Audit Log Write Alarm CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: GeoIP Blacklisted Region Activity CCF: GeoIP General Activity CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: LogRhythm Silent Log Source Error Alarm CCF: Malware Alarm CCF: Misuse CCF: Multiple Account Passwords Modified by Admin CCF: Non-Encrypted Protocol Alarm CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Rogue Access Point Alarm CCF: Social Media Event CCF: Software Install Rule CCF: Software Install Fail Alarm CCF: Software Uninstall Rule CCF: Software Uninstall Fail Alarm CCF: Suspected Wireless Attack Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Vulnerability Detected Alarm CCF: Windows RunAs Privilege Escalation	CCF: Account Modification Inv CCF: Applications Accessed By User Inv CCF: Audit Log Inv CCF: Backup Activity Inv CCF: Compromises Detected Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Malware Detected Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Patch Activity Inv CCF: Physical Access Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Rogue Access Point Inv CCF: Signature Activity Inv CCF: Social Media Inv CCF: Suspected Wireless Attack Inv CCF: Suspicious Users Inv CCF: Time Sync Error Inv CCF: Unknown User Account Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Vulnerability Detected Inv	CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Account Modification Summary CCF: Applications Accessed By User Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Backup Activity Summary CCF: Compromises Detected Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Host Access Granted And Revoked Detail CCF: LogRhythm Data Loss Defender Log Summary CCF: Malware Detected Summary CCF: Object Access Summary CCF: Patch Activity Summary CCF: Physical Access Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Rogue Access Point Summary CCF: Signature Activity Summary CCF: Social Media Summary CCF: Suspected Wireless Attack Summary CCF: Term Account Activity Summary CCF: Time Sync Error Summary CCF: Top Suspicious Users CCF: Unknown User Account Detail CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: Vulnerability Detected Summary